Biggest heist on Twitter? Major hack sparks concerns over platform security

The official accounts of billionaires Bill Gates and Elon Musk and Silicon Valley giants Apple and Uber were hacked, with affected accounts seeking bitcoin donations.

Publicly available blockchain records show that the apparent scammers have already received more than $110,000 worth of cryptocurrency.
AFP

The official Twitter accounts of Apple, Elon Musk, Bill Gates, Jeff Bezos, and others were hijacked by scammers trying to dupe people into sending them the cryptocurrency bitcoin in the hope of doubling their money.

The Twitter posts, which have since been deleted, were fired off from an array of high-profile accounts on Wednesday, telling people they had 30 minutes to send $1,000 in bitcoin in order to be sent back twice as much.

"This is a SCAM, DO NOT participate!" Gemini cryptocurrency exchange co-founder Cameron Winklevoss warned in a tweet from his official Twitter account.

"This is the same attack/takeover that other major crypto twitter accounts are experiencing. Be vigilant!"

'Coordinated social engineering attack'

In a series of tweets, Twitter said: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

The hackers then "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf".

The company statements confirmed the fears of security experts that the service itself (rather than users) had been compromised.

Scammers grab over $110,000 worth of cryptocurrency

Several accounts of cryptocurrency-focused organisations were also hijacked.

Biden's campaign was "in touch" with Twitter, according to a person familiar with the matter. 

The person said the company had locked down the Democrat's account "immediately following the breach and removed the related tweet".

Tesla and other affected companies were not immediately available for comment.

Publicly available blockchain records show that the apparent scammers have already received more than $110,000 worth of cryptocurrency.

"It is an unprecedented attack," Jeffrey Bishku-Aykul, a social media analyst, told TRT World.

Greg Evans of National Cyber Security Ventures told TRT World that the Twitter hacking of high-profile celebrities could be an inside job. 

Worst hack to date

By evening, 400 bitcoin transfers worth a combined $120,000 had been made. Half of the victims had funds in US bitcoin exchanges, a quarter in Europe and a quarter in Asia, according to forensics company Elliptic.

Those transfers left a history that could help investigators identify the perpetrators of the hack. The financial damage may be limited because multiple exchanges blocked other payments after their own Twitter accounts were targeted.

The damage to Twitter's reputation may be more serious. Most troubling to some was how long the company took to stop the bad tweets.

"Twitter's response to this hack was astonishing. It's the middle of the day in San Francisco, and it takes them five hours to get a handle on the incident," said Dan Guido, CEO of security company Trail of Bits.

An even worse scenario was that the bitcoin fraud was a distraction for more serious hacking, such as harvesting the direct messages of the account holders.

Twitter said it was not yet certain what the hackers may have done beyond sending the bitcoin messages.

"We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it," the company said.

Mass compromises of Twitter accounts, via theft of employee credentials or problems with third-party applications that many users employ, have occurred before.

Wednesday's hack was the worst to date. Several users with two-factor authentication - a security procedure that helps prevent break-in attempts - said they were powerless to stop it.

"If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction," said Michael Borohovski, director of software engineering at security company Synopsys. 
